My domain has about 1200 machines and I would like a solution that I could push down with a GPO. An easy fix would be to add domain user to the local admin account. Any other suggestions?

I tried the Group Policy Setting described here but no dice.

"

Load and unload device drivers

This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users.

Caution

Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

Default on workstations and servers: Administrators.

Default on domain controllers:
Administrators
Print Operators"

This not only happens with cheap USB Flash Drives but with mice and keyboards as well. The mice and Kb are not so much a problem for they can be installed once and done. But you cannot control the variety of flash sticks that come in.

So, from your original link, have you tried all the solutions offered there, especially the one pertaining to having the files usbstor.inf, usbstor.pnf, usbstor.sys in the default driver directory C:\Windows\system32\drivers\, and have you checked the permissions on those files?

Also XP can have removable media controlled through an ADM template added to Active Directory, though Vista+ machines already have a GPO policy built-in.

The policy you mentioned above, if you've got the option to add users greyed out, this may be because of a conflicting policy already in place. Check your OUs' GPOs all the way up to the domain policy; it's not a bad practice to block inheritance at the root of your actual users and computers OUs to prevent the more restrictive policies from your domain controllers filtering down to your everyday people and PCs.

Check the local policy too on a workstation. If you've RIS'd an image with the local policies set a certain way you will have copied that to all workstations.

Can you add a user or group here as a test? Instead of looking up "users" from the domain try and add "Authenticated Users" from the local machine.... some ideas to look into anyway. Quite odd what you've got going on, our workstations are quite free to let removable storage in and out of systems even with the most standard of users.
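
The two checks suggested in this thread (who actually holds "Load and unload device drivers" on a workstation, and what the permissions on the usbstor files are) can be scripted; the following is an added example, not part of the original posts. It assumes an elevated PowerShell prompt on one affected workstation; the temporary file name is arbitrary, and `%SystemRoot%\inf` is checked in addition to the directory named above because that is where `.inf`/`.pnf` files normally live.

```powershell
# Added example (not from the thread). Run elevated on one affected workstation.
# 1) Export the effective user-rights assignments and list who holds
#    "Load and unload device drivers" (SeLoadDriverPrivilege).
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
if (-not $line) {
    Write-Output 'SeLoadDriverPrivilege: no assignment found in the exported policy'
} else {
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $id   = $entry.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
        $name = $id
        if ($id -like 'S-1-*') {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($id)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = "$id (unresolved SID)"
            }
        }
        Write-Output "SeLoadDriverPrivilege: $name"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2) Show the ACLs on the USB mass-storage driver files mentioned in the thread.
$dirs  = "$env:SystemRoot\System32\drivers", "$env:SystemRoot\inf"
$files = 'usbstor.inf', 'usbstor.pnf', 'usbstor.sys'
foreach ($f in $files) {
    $hits = @($dirs | ForEach-Object { Join-Path $_ $f } | Where-Object { Test-Path $_ })
    if ($hits.Count -eq 0) { Write-Output "${f}: not found"; continue }
    foreach ($p in $hits) {
        Write-Output $p
        (Get-Acl $p).Access | ForEach-Object {
            '    {0}  {1}  {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }
    }
}
```

Any principal other than Administrators in the first list can load kernel-mode code, which is the risk the quoted policy text warns about; a Deny entry or a missing read entry for standard users in the second list points at the file-permission cause instead.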